RanSerKD ransomware uses Imgur to store infection data

September 2, 2016

Ransomware continues its steady upward trend, and almost daily a new ransomware family or variant appears on the internet. The RanSerKD family is fairly recent and is one of the rare families that use a large public hosting site, such as Dropbox or, in this case, Imgur, as part of its infection cycle.

Infection Cycle:

The Trojan uses the following icon:

The Trojan reports infection over UDP to a variety of IP addresses in the 37.x.x.x block:

It also uses an image album hosted on imgur.com to keep track of infections:

The files uploaded to Imgur use valid PNG file format headers in order to be accepted by Imgur's servers. The rest of the file contains the infected system information and details on files that were encrypted:
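As an added defender-side example (not code from the original advisory or from SonicWALL), the following Python walks the PNG chunk structure of a file and reports where non-PNG bytes begin, which is how a gateway or upload scanner could flag a file that carries a valid PNG header with infection data behind it. The sample PNG and the report appended to it are constructed; the field names in the fake report are not taken from real RanSerKD uploads.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def analyze_png(data: bytes) -> dict:
    """Walk the chunks; payload_offset is the first non-PNG byte, None if clean."""
    result = {"valid_signature": data.startswith(PNG_SIGNATURE), "chunks": [],
              "error": None, "payload_offset": None, "trailing_bytes": 0}
    if not result["valid_signature"]:
        result["error"] = "missing PNG signature"
        return result
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            result["error"] = "truncated chunk header"
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + body + 4 CRC
        if not ctype.isalpha() or end > len(data):
            result["error"] = f"malformed chunk at offset {pos}"
            break
        body = data[pos + 8:pos + 8 + length]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            result["error"] = f"bad CRC on {ctype.decode()} at offset {pos}"
            break
        result["chunks"].append(ctype.decode())
        pos = end
        if ctype == b"IEND":  # a genuine PNG ends here; anything after is foreign
            break
    result["trailing_bytes"] = len(data) - pos
    if result["error"] or result["trailing_bytes"]:
        result["payload_offset"] = pos
    return result


def smuggled_payload(data: bytes) -> bytes:  # bytes after the PNG structure
    offset = analyze_png(data)["payload_offset"]
    return b"" if offset is None else data[offset:]


def _chunk(ctype: bytes, body: bytes) -> bytes:  # build one well-formed chunk
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed samples (not real RanSerKD uploads): a valid 1x1 grayscale PNG, the same
# PNG with a fake report appended after IEND, and a bare signature followed by the report.
MINIMAL_PNG = (PNG_SIGNATURE + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
               + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
FAKE_REPORT = b'{"host":"EXAMPLE-PC","encrypted":["a.doc.cry","b.xls.cry"]}'
APPENDED = MINIMAL_PNG + FAKE_REPORT
HEADER_ONLY = PNG_SIGNATURE + FAKE_REPORT
```

Both constructed variants are reported: data appended after a complete image shows up as trailing bytes, and a file that is only a signature plus arbitrary bytes fails at the first chunk.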

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Local Settings\Temp\OyowVgCc.exe [Detected as GAV: RanSerKD (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\uoislYbV.html
  • %USERPROFILE%\Recent\!Recovery_aV26PK.html.lnk
  • %USERPROFILE%\Recent\!Recovery_aV26PK.txt.lnk
  • %USERPROFILE%\Start Menu\Programs\Startup\FKsDUFe5.lnk

The Trojan encrypts various files on the system and appends ".cry" to their filenames. After encrypting the files and deleting the desktop icons, it drops the following files onto the desktop:

They contain the following message:

The message refers to a link hosted on the Tor anonymity network. The link provides instructions on how to pay to recover the encrypted files:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: RanSerKD (Trojan)